  • DEFCONCTF - heapfun4u

    This challenge is about a binary with a custom heap implementation. With a use-after-free, it is possible to corrupt the doubly linked free list and have the address of a chunk written to an arbitrary address. With that we overwrite the saved return pointer with the address of the shellcode and pop a shell.

  • GoogleCTF - forced-puns

    Here is a write-up for the forced-puns challenge of the first Google CTF, which was held this past weekend. The binary suffers from a buffer overflow on the heap that allows overwriting the top chunk to perform the house of force heap exploitation technique. The binary also leaks a heap address, which leads to a leak of an address in the .text segment and finally a libc address. With all that information, it is possible to overwrite a pointer in the .got table with the address of system to execute a shell. It was fun to tackle an ARM binary for the first time!

  • BlazeCTF - dmail

    BlazeCTF seems to be underrated, because the challenges were very demanding and fun! That challenge is about leveraging the possibility to write addresses returned by malloc anywhere in memory. I used that issue to leak a heap address, a libc address and a stack address, to trick malloc into giving me a pointer on the stack, and to overwrite the saved return pointer.

  • PlaidCTF - fixedpoint

    Here is another solution to a pwn challenge. There is no vulnerability per se, but rather an interesting way of getting code execution through floating point arithmetic.

  • PlaidCTF - butterfly

    Here is a solution to the second pwn challenge, butterfly. This is not your usual buffer overflow, but rather a nice demonstration of how dangerous bit flips can be!

  • PlaidCTF - unix_time_formatter

    PlaidCTF was held last weekend, as usual with high quality and very demanding challenges to solve. Here is a solution to the first pwn challenge, unix_time_formatter. This entry level pwnable challenge proposes a use-after-free vulnerability that is used to inject commands into a call to system.

  • Nuit du Hack - Secure File Reader

    The qualifications for the Nuit du Hack CTF were held this weekend. They proposed three pwnable challenges. This one involved an ELF 32-bit binary with a buffer overflow on the stack that is used to push a ROP chain, execute a shell and finally get the flag.

  • Radare2 of the Lost Magic Gadget

    OK, this is a bad pun on a rather nice movie. You may already have heard of the one magic gadget that exists to rule them all; more seriously, a gadget located in the libc that executes a shell by itself. The problem is that, depending on the Linux distribution and the version of the libc, it might be located at different places and consist of different instructions. Therefore we can’t just search for a fixed sequence of bytes. In this blog post, I propose a rather easy and lightweight method of finding it with Radare 2. Happy hunting!

  • VolgaCTF - Web of Science 3

    This is the third and final pwn of VolgaCTF. ASLR is now activated, which would not have changed the outcome of the two previous challenges, therefore there must be something else…

  • VolgaCTF - Web of Science 2

    This is the second pwn of VolgaCTF; it is based on Web of Science. Stay tuned for the write-up for the third and final one.

  • VolgaCTF - Web of Science

    VolgaCTF had only three pwnable challenges, all based on the same binary. The idea was to increase the difficulty little by little by adding security features at each phase:

  • Boston Key Party - Complex Calc (pwn 5 pts)

    Now that the Simple Calc is done, let’s try the complex one!

  • Boston Key Party - Simple Calc (pwn 5 pts)

    Here is the first pwn challenge of the Boston Key Party CTF. Stay tuned for the writeup of the Complex Calc challenge.

  • Remote iOS application debugging from Linux over USB

    I recently had to debug an iOS application. As I am more a GNU/Linux user than an OS X one, I wanted to do it from my Linux machine. The easiest way would be to remotely debug over WiFi, but this might get quite frustrating, because of the recurring connection interruptions. Good news everyone: it is possible to do it over USB!

  • TUM CTF 2015 Teaser - c0unter (pwn 25)

    I had the possibility to play a few hours on the TUM CTF Teaser. It was nicely organized and the challenges were fun to solve, even the easy ones. Here is the first write-up I am going to publish for that CTF.